(In) security of quantum oblivious transfer based on secure bit commitment 
While unconditionally secure bit commitment (BC) is considered impossible within the quantum
framework, it can be obtained under relativistic or other settings. Here we study whether these BC 
can lead to secure quantum oblivious transfer (QOT). The answer is not completely negative. On 
one hand, we provide a detailed cheating strategy, showing that the "honest-but-curious adversaries" 
in some of the existing no-go proofs on QOT still apply even if secure BC is used. On the other 
hand, it is also found that some other no-go proofs become invalid in this scenario, because their 
models of cryptographic protocols are too ideal to cover BC-based QOT. 

PACS numbers: 03.67.Dd, 03.67.Ac, 42.50.Dv, 03.65.Ud, 03.30.+p 



I. INTRODUCTION

Besides the well-known quantum key distribution (QKD) [1], bit commitment (BC) and oblivious transfer (OT) are also essential cryptographic primitives. It was shown that OT is the building block of multi-party secure computations and more complicated "post-cold-war era" multi-party cryptographic protocols [2], and quantum OT (QOT) can be obtained based on quantum BC (QBC) [3]. But it is widely accepted that unconditionally secure QBC is impossible within the quantum framework [4-29]. This result, known as the Mayers-Lo-Chau (MLC) no-go theorem, is considered a serious drawback for quantum cryptography. Obviously, it indicates that QOT built upon QBC cannot be secure either. This stimulated the emergence of many other no-go proofs on quantum two-party secure computations including QOT.

Nevertheless, Kent showed that BC can be unconditionally secure under relativistic settings [39-42]. Also, it was found that the MLC theorem may not be sufficiently general to cover two recent QBC protocols [43, 44]. Many "practical" QBC protocols were proposed too, which are secure if the participants are limited by some experimental constraints (see the introduction of Ref. [43] for a detailed list). There is also device-independent QBC [45], which, though not unconditionally secure, has the advantage that it does not rely on any assumption about the internal working of the physical devices, so that the security is not affected even if the devices are fabricated by the cheater.

Therefore, it is natural to ask whether these BC protocols can lead to secure QOT. That is, suppose that any setting or constraint required to guarantee the security of the above BC protocols is satisfied, so that the participants can use them as a secure "black box" without caring about the internal details of these protocols. Then we put no constraint (except those forbidden by fundamental physical laws) on the participants' behavior in the other steps of the BC-based QOT. Will the no-go proofs of QOT still apply? And how?

In this paper, the answer is twofold. On one hand, we will give a cheating strategy in detail, showing that some of the no-go proofs [31-37] remain valid even if QOT is based on secure BC. On the other hand, we find that some other no-go proofs [30, 38] no longer work in such a QOT protocol, revealing that these proofs are not sufficiently general.



II. DEFINITIONS 

BC is a cryptographic task between two remote parties, Charlie and Diana (generally called Alice and Bob in the literature, but here named differently to avoid confusion with the roles in OT). It generally includes two phases. In the commit phase, Charlie decides the value of the bit $x$ ($x = 0$ or $1$) which he wants to commit, and sends Diana a piece of evidence. Later, in the unveil phase, Charlie announces the value of $x$, and Diana checks it against the evidence. An unconditionally secure BC protocol needs to be both binding (i.e., Charlie cannot change the value of $x$ after the commit phase) and concealing (Diana cannot know $x$ before the unveil phase) without relying on any computational assumption.

In the quantum case, Charlie's input can be more complicated. Besides the two classical values $0$ and $1$, he can commit a quantum superposition or mixture of the states corresponding to $x = 0$ and $x = 1$, so that $x$ can be unveiled as either $0$ or $1$ with probabilities $p_0$ and $p_1$, respectively. More specifically, suppose that a QBC protocol requires Charlie to send Diana a quantum system $\Psi$ as the evidence in the commit phase, whose state is expected to be $|\psi_0\rangle_\Psi$ (if $x = 0$) or $|\psi_1\rangle_\Psi$ (if $x = 1$). Then Charlie can introduce another system $C$, and prepare $C \otimes \Psi$ in the entangled state

$$p_0^{1/2}\,|c_0\rangle_C \otimes |\psi_0\rangle_\Psi + p_1^{1/2}\,|c_1\rangle_C \otimes |\psi_1\rangle_\Psi, \qquad (1)$$

where $|c_0\rangle_C$ and $|c_1\rangle_C$ are orthogonal. He sends $\Psi$ to Diana and keeps $C$ to himself. When it is time to unveil, Charlie measures $C$ in the basis $\{|c_0\rangle_C, |c_1\rangle_C\}$, and unveils the committed $x$ as $0$ (or $1$) if the result is $|c_0\rangle_C$ (or $|c_1\rangle_C$). With this strategy, his commitment is kept at the quantum level until the unveil phase, instead of taking a fixed classical value.

According to Kent [46], this "is not considered a security failure of a quantum BC protocol per se". As long as a BC protocol can force Charlie to commit to a probability distribution $(p_0, p_1)$ which cannot be changed after the commit phase, and $(p_0 + p_1) - 1$ can be made arbitrarily close to $0$ by increasing some security parameters of the protocol, then it is still considered unconditionally secure. On the other hand, if a protocol can further force Charlie to commit to a particular classical $x$, i.e., besides $p_0 + p_1 \to 1$, both $p_0$ and $p_1$ can only take the values $0$ or $1$ instead of any value in between, then it is called a bit commitment with a certificate of classicality (BCCC). None of the above-mentioned BC protocols is a BCCC, and unconditionally secure BCCC seems impossible [46]. Therefore, in the following, when speaking of secure BC we refer to the non-BCCC ones only, except where noted.

OT is also a two-party cryptographic task. There are two major types of OT in the literature. Using Crépeau's description [47], they are defined as follows.

Definition A: All-or-nothing OT (AoN OT)

(A-i) Alice knows one bit $b$.

(A-ii) Bob gets bit $b$ from Alice with probability $1/2$.

(A-iii) Bob knows whether he got $b$ or not.

(A-iv) Alice does not know whether Bob got $b$ or not.

Definition B: One-out-of-two OT (1-2 OT)

(B-i) Alice knows two bits $b_0$ and $b_1$.

(B-ii) Bob gets bit $b_j$ and not $b_{1-j}$, with $\Pr(j = 0) = \Pr(j = 1) = 1/2$.

(B-iii) Bob knows which of $b_0$ or $b_1$ he got.

(B-iv) Alice does not know which $b_j$ Bob got.

We will study BC-based AoN OT first, and come back to 1-2 OT later.



III. INSECURITY 

According to Yao [3], AoN QOT can be built upon BC as follows.

The BC-based AoN QOT protocol:

(I) Let $|0,0\rangle$ and $|0,1\rangle$ be two orthogonal states of a qubit, and define $|1,0\rangle = (|0,0\rangle + |0,1\rangle)/\sqrt{2}$, $|1,1\rangle = (|0,0\rangle - |0,1\rangle)/\sqrt{2}$. That is, the state of a qubit is denoted as $|a_i, g_i\rangle$, where $a_i$ represents the basis and $g_i$ distinguishes the two states in the same basis. For $i = 1, \dots, n$, Alice randomly picks $a_i, g_i \in \{0, 1\}$ and sends Bob a qubit $\phi_i$ in the state $|a_i, g_i\rangle$.

(II) For $i = 1, \dots, n$, Bob randomly picks a basis $b_i \in \{0, 1\}$ to measure $\phi_i$ and records the result as $|b_i, h_i\rangle$. Then he commits $(b_i, h_i)$ to Alice using the BC protocol.

(III) Alice randomly picks a subset $R \subset \{1, \dots, n\}$ and tests Bob's commitments at the positions in $R$. If any $i \in R$ reveals $a_i = b_i$ and $g_i \neq h_i$, then Alice stops the protocol; otherwise, the test result is accepted.

(IV) Alice announces the bases $a_i$ ($i = 1, \dots, n$). Let $T_0$ be the set of all $1 \leq i \leq n$ with $a_i = b_i$, and $T_1$ be the set of all $1 \leq i \leq n$ with $a_i \neq b_i$. Bob chooses $I_0 \subset T_0 - R$, $I_1 \subset T_1 - R$ with $|I_0| = |I_1| = 0.24n$, sets $\{J_0, J_1\} = \{I_0, I_1\}$ or $\{J_0, J_1\} = \{I_1, I_0\}$ at random, then sends $\{J_0, J_1\}$ to Alice.

(V) Alice picks a random $s \in \{0, 1\}$, and sends $s$ and $\beta_s = b \oplus \bigoplus_{i \in J_s} g_i$ to Bob. Bob computes $b = \beta_s \oplus \bigoplus_{i \in J_s} h_i$ if $J_s = I_0$; otherwise he does nothing.
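As an added illustration (not code from the paper), the following Python simulation runs steps (I)-(V) with honest parties, modelling each qubit classically (a matching basis reproduces $g_i$, a mismatched basis gives a random bit) and the BC as a black-box dictionary that Alice reads only where Bob unveils; the values n = 200 and a 20% test subset are assumptions, while the 0.24n subset size is the protocol's. It shows that Bob recovers b exactly when $J_s$ is the set where his bases matched Alice's, which happens in about half of the runs.

```python
import random


def measure(a, g, b, rng):
    """Classical stand-in for measuring |a,g> in basis b: a matching basis
    returns g exactly, a mismatched basis returns a uniformly random bit."""
    return g if a == b else rng.randint(0, 1)


def parity(bits):
    """XOR of a sequence of bits (the sums in step (V))."""
    p = 0
    for x in bits:
        p ^= x
    return p


def run_aon_qot(b, n=200, test_frac=0.2, rng=None):
    """One honest run of steps (I)-(V) for Alice's secret bit b.
    Returns whether Bob got b and, if so, the value he decoded."""
    rng = rng or random.Random()
    # (I) Alice picks bases a_i and bits g_i and sends |a_i, g_i>.
    a = [rng.randint(0, 1) for _ in range(n)]
    g = [rng.randint(0, 1) for _ in range(n)]
    # (II) Bob measures in random bases b_i and commits (b_i, h_i).  The BC is
    # a black box here: Alice reads an entry only when Bob unveils it.
    bases = [rng.randint(0, 1) for _ in range(n)]
    h = [measure(a[i], g[i], bases[i], rng) for i in range(n)]
    commitments = {i: (bases[i], h[i]) for i in range(n)}
    # (III) Alice tests a random subset R; Bob unveils those positions honestly.
    R = set(rng.sample(range(n), int(test_frac * n)))
    for i in R:
        b_i, h_i = commitments[i]
        if a[i] == b_i and g[i] != h_i:
            raise RuntimeError("commitment test failed at position %d" % i)
    # (IV) Alice announces a_i.  T_0 / T_1: untested positions where Bob's
    # basis matched / did not match Alice's.  Bob picks I_0, I_1 of size 0.24n
    # and sends them in a random order as {J_0, J_1}.
    T0 = [i for i in range(n) if a[i] == bases[i] and i not in R]
    T1 = [i for i in range(n) if a[i] != bases[i] and i not in R]
    k = int(0.24 * n)
    I0 = sorted(rng.sample(T0, k))
    I1 = sorted(rng.sample(T1, k))
    J0, J1 = (I0, I1) if rng.randint(0, 1) == 0 else (I1, I0)
    # (V) Alice picks s and masks b with the parity of her g_i over J_s.
    s = rng.randint(0, 1)
    Js = J0 if s == 0 else J1
    beta_s = b ^ parity(g[i] for i in Js)
    # Bob can strip the mask only if J_s == I_0: there h_i == g_i for every
    # i in J_s, so the two parities cancel.  Otherwise he learns nothing.
    if Js == I0:
        return {"got": True, "decoded": beta_s ^ parity(h[i] for i in Js)}
    return {"got": False, "decoded": None}


def simulate(b, runs=200, seed=1):
    """Repeat the honest protocol with fixed seeds.  Returns (fraction of runs
    in which Bob got b, whether every decoded value equalled b)."""
    got = correct = 0
    for r in range(runs):
        out = run_aon_qot(b, rng=random.Random(seed + r))
        if out["got"]:
            got += 1
            correct += int(out["decoded"] == b)
    return got / runs, correct == got


if __name__ == "__main__":
    for b in (0, 1):
        frac, ok = simulate(b)
        print("b=%d: Bob got it in %.0f%% of runs; all decodes correct: %s"
              % (b, 100 * frac, ok))
```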

Now suppose that the BC protocol used in this QOT is secure. That is, whether we are using the QBC protocols proposed in Refs. [43, 44], relativistic BC [39-42], or even the "practical" QBC protocols listed in the introduction of Ref. [43], we assume that all the security requirements (e.g., relativistic settings or experimental limitations) are already met, so that Bob does not have unlimited computational power to cheat within the BC stage. In this case, the validity of the no-go proofs of QOT [30-38] cannot be taken for granted, because all these proofs were derived without imposing any limitation on the computational power of the cheater.

Intriguingly, the conclusions of some of the no-go proofs [31-37] remain valid: unconditionally secure QOT is still impossible in this case. The key reason is that secure BC, not being a BCCC, cannot prevent the participant from keeping the commitment at the quantum level instead of taking a fixed classical value. Kent [39] briefly mentioned that this allows more general coherent quantum attacks on schemes of which BC is a subprotocol, but no details of the cheating strategy were given. Here we elaborate how Bob can make use of this feature to break the BC-based QOT protocol.

For each $\phi_i$ ($i = 1, \dots, n$), a dishonest Bob does not pick a classical $b_i$ and measure it in step (II). Instead, he introduces two ancillary qubit systems $B_i$ and $H_i$ as the registers for the bits $b_i$ and $h_i$, and prepares their initial states as $|B_i\rangle = (|0\rangle_B + |1\rangle_B)/\sqrt{2}$ and $|H_i\rangle = |0\rangle_H$, respectively. Here $|0\rangle$ and $|1\rangle$ are orthogonal. Then he applies the unitary transformation

$$U_1 = |0\rangle_B\langle 0| \otimes |0,0\rangle_\phi\langle 0,0| \otimes I_H + |0\rangle_B\langle 0| \otimes |0,1\rangle_\phi\langle 0,1| \otimes \sigma_H^{(x)} + |1\rangle_B\langle 1| \otimes |1,0\rangle_\phi\langle 1,0| \otimes I_H + |1\rangle_B\langle 1| \otimes |1,1\rangle_\phi\langle 1,1| \otimes \sigma_H^{(x)} \qquad (2)$$

on the system $B_i \otimes \phi_i \otimes H_i$. Here $I_H$ and $\sigma_H^{(x)}$ are the identity operator and the Pauli matrix of system $H_i$ that satisfy $I_H|0\rangle_H = |0\rangle_H$ and $\sigma_H^{(x)}|0\rangle_H = |1\rangle_H$, respectively. The effect of $U_1$ is like running a quantum computer program which, if $|B_i\rangle = |0\rangle_B$ ($|B_i\rangle = |1\rangle_B$), measures qubit $\phi_i$ in the basis $b_i = 0$ ($b_i = 1$) and stores the result $h_i$ in system $H_i$. It differs from a classical program with the same function in that no destructive measurement is really performed, since $U_1$ is not a projective operator. Consequently, the bits $b_i$ and $h_i$ are kept at the quantum level instead of being collapsed to classical values.

Bob then commits $(b_i, h_i)$ to Alice at the quantum level. This can always be done in a BC protocol which does not satisfy the definition of BCCC. For example, to commit $b_i$, Bob further introduces two ancillary systems $E$ and $\Psi$ and prepares the initial state as

$$|e_0\rangle_E \otimes |\psi_0\rangle_\Psi. \qquad (3)$$

Let $U_{E\otimes\Psi}$ be a unitary transformation on $E \otimes \Psi$ satisfying $U_{E\otimes\Psi}\,|e_0\rangle_E \otimes |\psi_0\rangle_\Psi = |e_1\rangle_E \otimes |\psi_1\rangle_\Psi$. Here $|\psi_0\rangle_\Psi$, $|\psi_1\rangle_\Psi$ have the same meanings as in Eq. (1), and $|e_0\rangle_E$, $|e_1\rangle_E$ are orthogonal. Bob applies the unitary transformation

$$U_2 = |0\rangle_B\langle 0| \otimes I_{E\otimes\Psi} + |1\rangle_B\langle 1| \otimes U_{E\otimes\Psi} \qquad (4)$$

on the system $B_i \otimes E \otimes \Psi$, where $I_{E\otimes\Psi}$ is the identity operator of system $E \otimes \Psi$. As a result, the final state of $B_i \otimes \phi_i \otimes H_i \otimes E \otimes \Psi$ will be very similar to Eq. (1) if we view $B_i \otimes \phi_i \otimes H_i \otimes E$ as system $C$. Then Bob can follow the process after Eq. (1) (note that now Bob plays the role of Charlie) to complete the commitment of $b_i$ without collapsing it to a classical value. He can do the same for $h_i$.

Back to step (III) of the QOT protocol. Whenever $(b_i, h_i)$ ($i \in R$) are picked to test the commitment, Bob simply unveils them honestly. Since these $(b_i, h_i)$ will no longer be useful in the remaining steps of the protocol, this does not hurt Bob's cheating. Note that the rest of the $(b_i, h_i)$ ($i \notin R$) are still kept at the quantum level. After Alice announces all bases $a_i$ ($i = 1, \dots, n$) in step (IV), Bob introduces a single global control qubit $S'$ for all $i$, initialized in the state $|s'\rangle = (|0\rangle_{S'} + |1\rangle_{S'})/\sqrt{2}$, and yet another ancillary system $T_i$ for each $i \in T_0 \cup T_1 - R$, initialized in the state $|T_i\rangle = |0\rangle_T$. Then he applies the unitary transformation

$$U_3 = |0\rangle_{S'}\langle 0| \otimes |a_i\rangle_B\langle a_i| \otimes I_T + |0\rangle_{S'}\langle 0| \otimes |\neg a_i\rangle_B\langle \neg a_i| \otimes \sigma_T^{(x)} + |1\rangle_{S'}\langle 1| \otimes |a_i\rangle_B\langle a_i| \otimes \sigma_T^{(x)} + |1\rangle_{S'}\langle 1| \otimes |\neg a_i\rangle_B\langle \neg a_i| \otimes I_T \qquad (5)$$

on the combined system $S' \otimes B_i \otimes T_i$. Here $I_T$ and $\sigma_T^{(x)}$ are the identity operator and the Pauli matrix of system $T_i$ that satisfy $I_T|0\rangle_T = |0\rangle_T$ and $\sigma_T^{(x)}|0\rangle_T = |1\rangle_T$, respectively. The effect of $U_3$ is to compare $a_i$ with $b_i$ and store the result $(a_i \neq b_i) \oplus s'$ in $T_i$. Bob then measures all $T_i$ ($i \in T_0 \cup T_1 - R$) in the basis $\{|0\rangle_T, |1\rangle_T\}$, takes $T_0$ ($T_1$) as the set of all $1 \leq i \leq n$ with $|T_i\rangle = |0\rangle_T$ ($|T_i\rangle = |1\rangle_T$) instead of how they were defined in step (IV), and always sets $J_0 \subset T_0 - R$, $J_1 \subset T_1 - R$ to finish the remaining steps of the QOT protocol.



With this method, the relationship between $J_0, J_1$ and $I_0, I_1$ is kept at the quantum level. Since $I_0$ ($I_1$) denotes the set corresponding to $a_i = b_i$ ($a_i \neq b_i$), we can see that $U_3$ makes $J_0 = I_0$, $J_1 = I_1$ when $s' = 0$, while $J_0 = I_1$, $J_1 = I_0$ when $s' = 1$. As $S'$ was initialized as $|s'\rangle = (|0\rangle_{S'} + |1\rangle_{S'})/\sqrt{2}$, the actual result of step (IV) can be described by the entangled state

$$S' \otimes \Big(\bigotimes_i B_i \otimes \phi_i \otimes H_i \otimes E'_i\Big) \;\to\; |\Phi_b\rangle = \big(|0\rangle_{S'} \otimes |J_0 = I_0 \vee J_1 = I_1\rangle + |1\rangle_{S'} \otimes |J_0 = I_1 \vee J_1 = I_0\rangle\big)/\sqrt{2}. \qquad (6)$$

Here $E'_i$ stands for all the ancillary systems Bob introduced in the process of committing $(b_i, h_i)$. $|J_0 = I_0 \vee J_1 = I_1\rangle$ denotes the state of the system $\bigotimes_i B_i \otimes \phi_i \otimes H_i \otimes E'_i$ in which the subsystems $B_i$ and $H_i$ contain the correct $b_i$ and $h_i$ corresponding to $J_0 = I_0 \vee J_1 = I_1$. The meaning of $|J_0 = I_1 \vee J_1 = I_0\rangle$ is similar.

After Alice announces $s$ and $\beta_s$ in step (V), the systems in Bob's possession can be viewed as

$$|\Phi_b\rangle = \big(|s\rangle_{S'} \otimes |J_s = I_0\rangle + |\neg s\rangle_{S'} \otimes |\mathrm{fail}\rangle\big)/\sqrt{2}. \qquad (7)$$

This means that if Bob measures system $S'$ in the basis $\{|0\rangle_{S'}, |1\rangle_{S'}\}$ and the result $|s'\rangle_{S'}$ satisfies $s' = s$, then he is able to measure the remaining systems and get all the correct $h_i$ to decode the secret bit $b$ unambiguously; else, if the result satisfies $s' \neq s$, then he knows that he has failed to decode $b$. Now the trickiest part is that, as the value of $s'$ was kept at the quantum level before system $S'$ is measured, at this stage a dishonest Bob can choose not to measure $S'$ in the basis $\{|0\rangle_{S'}, |1\rangle_{S'}\}$. Instead, denoting $|b\rangle = |s\rangle_{S'} \otimes |J_s = I_0\rangle$ and $|?\rangle = |\neg s\rangle_{S'} \otimes |\mathrm{fail}\rangle$, Eq. (7) can be treated as $|\Phi_b\rangle = (|b\rangle + |?\rangle)/\sqrt{2}$, where $|b = 0\rangle = (1\ 0\ 0)^T$, $|b = 1\rangle = (0\ 1\ 0)^T$, and $|?\rangle = (0\ 0\ 1)^T$ are mutually orthogonal. Then, according to Eq. (33) of Ref. [33], Bob can distinguish them using the positive operator-valued measure (POVM) $(E_0, I - E_0)$, where

$$E_0 = \frac{1}{6}\begin{pmatrix} 2+\sqrt{3} & -1 & 1+\sqrt{3} \\ -1 & 2-\sqrt{3} & 1-\sqrt{3} \\ 1+\sqrt{3} & 1-\sqrt{3} & 2 \end{pmatrix}. \qquad (8)$$



This allows Bob's decoded $b$ to match Alice's actual input with reliability $(1 + \sqrt{3}/2)/2$ [33]. On the contrary, when Bob executes the QOT protocol honestly, in $1/2$ of the cases he can decode $b$ with reliability 100%; in the other $1/2$ of the cases he fails to decode $b$ and can only guess the value randomly, which results in a reliability of 50%. Thus the average reliability in the honest case is $100\%/2 + 50\%/2 = 75\% < (1 + \sqrt{3}/2)/2$. Note that with the above dishonest strategy, Bob can never decode $b$ with reliability 100% in any case. Therefore it is debatable whether it can be considered successful cheating, as the strategy does not even accomplish what an honest Bob can do. That is why it is called an honest-but-curious adversary [34, 35], i.e., in some sense it may still be regarded as honest behavior instead of full cheating. Nevertheless, it provides Bob with the freedom to choose between accomplishing the original goal of QOT and achieving a higher average reliability, which could leave room for potential problems when building even more complicated cryptographic protocols upon such a BC-based QOT.
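As an added example (not code from the paper or from Ref. [33]), the following numpy block builds $|\Phi_0\rangle$ and $|\Phi_1\rangle$ in the basis $\{|b=0\rangle, |b=1\rangle, |?\rangle\}$, derives the optimal two-outcome (Helstrom) measurement that tells them apart, and compares its reliability with the honest 75%; it also shows that no outcome of the curious measurement is ever certain, which is the honest-but-curious trade-off described above. The closed-form matrix in the block is the $+\sqrt{3}/2$ eigenprojector of $\rho_0 - \rho_1$ worked out here and is assumed, not copied, to be the intended form of $E_0$.

```python
import numpy as np

SQRT3 = np.sqrt(3.0)

# Orthonormal basis of Bob's reduced description after step (V):
# |b=0>, |b=1>, and the failed branch |?>.
KET_B0 = np.array([1.0, 0.0, 0.0])
KET_B1 = np.array([0.0, 1.0, 0.0])
KET_Q = np.array([0.0, 0.0, 1.0])


def phi(b):
    """|Phi_b> = (|b> + |?>)/sqrt(2): Bob's state when Alice's secret bit is b."""
    return ((KET_B0 if b == 0 else KET_B1) + KET_Q) / np.sqrt(2.0)


def helstrom_povm(psi0, psi1):
    """Optimal two-outcome measurement (E0, I - E0) for two equal-prior pure
    states: E0 is the projector onto the positive eigenspace of rho0 - rho1."""
    delta = np.outer(psi0, psi0) - np.outer(psi1, psi1)
    w, v = np.linalg.eigh(delta)
    pos = v[:, w > 1e-9]          # eigenvectors with strictly positive eigenvalue
    e0 = pos @ pos.T
    return e0, np.eye(len(psi0)) - e0


def reliability(e0, e1, psi0, psi1):
    """Average probability that the guess (E0 -> b=0, E1 -> b=1) is right."""
    return float(0.5 * (psi0 @ e0 @ psi0 + psi1 @ e1 @ psi1))


def curious_reliability():
    """Reliability of the dishonest strategy: should equal (1 + sqrt(3)/2)/2."""
    e0, e1 = helstrom_povm(phi(0), phi(1))
    return reliability(e0, e1, phi(0), phi(1))


def honest_reliability():
    """Honest Bob: half the runs decode b with certainty, the rest are a coin flip."""
    return 0.5 * 1.0 + 0.5 * 0.5


def outcome_confidences():
    """For each outcome of the curious measurement, the posterior probability that
    the implied guess is correct.  Neither reaches 1: the curious Bob never knows
    b for sure, whereas an honest Bob does whenever J_s = I_0."""
    psi = (phi(0), phi(1))
    e = helstrom_povm(*psi)
    confs = []
    for guess in (0, 1):
        p_guess_right = 0.5 * (psi[guess] @ e[guess] @ psi[guess])
        p_outcome = 0.5 * (psi[0] @ e[guess] @ psi[0] + psi[1] @ e[guess] @ psi[1])
        confs.append(float(p_guess_right / p_outcome))
    return confs


def closed_form_e0():
    """Projector onto the +sqrt(3)/2 eigenvector of rho0 - rho1, derived by hand
    (an assumption about the intended form of E0, not taken from the paper)."""
    return np.array([[2 + SQRT3, -1, 1 + SQRT3],
                     [-1, 2 - SQRT3, 1 - SQRT3],
                     [1 + SQRT3, 1 - SQRT3, 2]]) / 6.0


def closed_form_matches():
    """True if the numerically derived E0 equals the hand-derived closed form."""
    e0, _ = helstrom_povm(phi(0), phi(1))
    return bool(np.allclose(e0, closed_form_e0()))


if __name__ == "__main__":
    print("honest reliability :", honest_reliability())
    print("curious reliability:", curious_reliability(), "=", (1 + SQRT3 / 2) / 2)
    print("per-outcome confidence of the curious measurement:", outcome_confidences())
    print("closed form matches numerics:", closed_form_matches())
```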

The above cheating strategy is basically the same as the one we proposed in section 5 of Ref. [43], which was applied to show why the specific QBC protocol in the same reference cannot lead to secure QOT. But here we can see that its power is not limited to the QBC protocol in that reference. In particular, Bob's steps related to Eqs. (3) and (4) will always be valid as long as the BC protocol used in the QOT is not a BCCC, as they do not involve the details of the BC process. Thus we reach a much more general result: any BC (except BCCC) cannot lead to unconditionally secure AoN QOT using Yao's method [3]. It covers not only unconditionally secure QBC, but also relativistic BC (both classical [39, 40] and quantum ones [41, 42]) and practically secure QBC (e.g., those listed in the introduction of Ref. [43]), even if all the requirements for them to be secure are already met. In this sense, QOT is more difficult than QBC, in contrast to the classical relationship that OT and BC are equivalent.

This result shows that the original security proof of BC-based QOT [3] is not general. The proof claimed that as long as the BC protocol is unconditionally secure, the QOT protocol built upon it will be unconditionally secure too. But now we can see that it may still be valid for BCCC-based QOT, but fails to cover all unconditionally secure BC.

Now consider 1-2 OT. It can be built upon BC in much the same way as the above BC-based AoN QOT protocol, except that step (V) should be modified into:

(V) Alice sends $\beta_0 = b_0 \oplus \bigoplus_{i \in J_0} g_i$ and $\beta_1 = b_1 \oplus \bigoplus_{i \in J_1} g_i$ to Bob. Bob computes $b_0 = \beta_0 \oplus \bigoplus_{i \in J_0} h_i$ if $J_0 = I_0$, or $b_1 = \beta_1 \oplus \bigoplus_{i \in J_1} h_i$ if $J_1 = I_0$.

Bob can also apply the above cheating strategy, so that the result of step (IV) is still described by Eq. (6). After Alice announces $\beta_0$ and $\beta_1$ in step (V), if Bob wants to decode $b_0$, he can treat the right-hand side of Eq. (6) as

$$|\Phi_b\rangle = \big(|0\rangle_{S'} \otimes |J_0 = I_0\rangle + |1\rangle_{S'} \otimes |\mathrm{fail}\rangle\big)/\sqrt{2}, \qquad (9)$$

else, if he wants to decode $b_1$, he can treat it as

$$|\Phi_b\rangle = \big(|0\rangle_{S'} \otimes |\mathrm{fail}\rangle + |1\rangle_{S'} \otimes |J_1 = I_0\rangle\big)/\sqrt{2}. \qquad (10)$$

Comparing these two equations with Eq. (7), we can see that they both have the form $|\Phi_b\rangle = (|b\rangle + |?\rangle)/\sqrt{2}$. Thus Bob can still apply the POVM described by Eq. (8) to decode the bit he wants. Consequently, he can decode one of $b_0$ and $b_1$ at his choice with reliability $(1 + \sqrt{3}/2)/2$. Again, although this value is higher than the average reliability of the honest behavior, in the current case Bob can never decode the bit with reliability 100%. Thus it still belongs to the honest-but-curious adversaries. Also, it is important to note that the POVM $(E_0, I - E_0)$ is a two-valued measurement that can obtain one bit of information only, and the POVMs corresponding to Eq. (9) and Eq. (10) are not the same. Therefore Bob can pick only one of them to increase the average reliability of one of $b_0$ and $b_1$, instead of decoding both bits simultaneously.

From the above cheating strategies, we can see that Bob's key idea is to keep introducing quantum entanglement into the system, which enables him to keep more and more data at the quantum level, so that he has the freedom to choose different measurements at a later time. This gives yet another example showing the power of entanglement in quantum cryptography.

IV. SECURITY 

The above honest-but-curious adversaries indicate that the BC-based QOT protocol is not unconditionally secure, which is in agreement with the conclusion of the no-go proofs of QOT [31-37]. Nevertheless, we will show below that this protocol is secure against the cheating strategy in other no-go proofs [30, 38].

In Lo's no-go proof [30], the following definition of 1-2 OT was proposed.

Definition C: Lo's 1-2 OT

(C-i) Alice inputs $i$, which is a pair of messages $(m_0, m_1)$.

(C-ii) Bob inputs $j = 0$ or $1$.

(C-iii) At the end of the protocol, Bob learns the message $m_j$, but not the other message $m_{1-j}$, i.e., the protocol is an ideal one-sided two-party secure computation $f(m_0, m_1, j = 0) = m_0$ and $f(m_0, m_1, j = 1) = m_1$.

(C-iv) Alice does not know which $m_j$ Bob got.

It was introduced as a special case of the ideal one-sided two-party quantum secure computations, defined in Lo's proof as follows.

Definition D: ideal one-sided two-party secure computation

Suppose Alice has a private (i.e. secret) input $i \in \{1, 2, \dots, n\}$ and Bob has a private input $j \in \{1, 2, \dots, m\}$. Alice helps Bob to compute a prescribed function $f(i, j) \in \{1, 2, \dots\}$ in such a way that, at the end of the protocol:

(a) Bob learns $f(i, j)$ unambiguously;

(b) Alice learns nothing [about $j$ or $f(i, j)$];

(c) Bob knows nothing about $i$ more than what logically follows from the values of $j$ and $f(i, j)$.

Lo's proof [30] showed that any protocol satisfying Definition D is insecure, because Bob can always obtain all $f(i, j)$ ($j \in \{1, 2, \dots, m\}$). As a corollary, secure 1-2 OT satisfying Definition C is impossible, as Bob can always learn both $m_0$ and $m_1$.

This result is surprising. As shown in the previous section, other no-go proofs [31-37] claimed that QOT is insecure merely because Bob can increase the average reliability of the decoded value of one of $m_0$ and $m_1$. It is never indicated in Refs. [31-37] that he can decode both of them simultaneously. Thus the cheating strategy in Lo's proof [30] seems more powerful.

However, it will be shown below that Lo's proof is not sufficiently general to cover all kinds of QOT. We must notice that Definition C is not rigorously equivalent to Definition B. An important feature of Definition C is that all of Alice's (Bob's) input to the entire protocol is merely $i = \{m_0, m_1\}$ ($j \in \{0, 1\}$). Furthermore, as can be seen from (C-i) and (C-iii), the inputs $i$ and $j$ are independent of each other. But in general, hardly any protocol satisfies these requirements. That is, let us denote all of Alice's (Bob's) input to a protocol as $I$ ($J$). In Definition C there is $I = i$, $J = j$, and $I$, $J$ are independent. But most existing quantum cryptographic protocols generally have $I \supset i$, $J \supset j$, with $I$ and $J$ dependent on each other.

For example, in the well-known Bennett-Brassard 1984 (BB84) QKD protocol [1], though the aim of Alice and Bob is to share a secret key $k$, the protocol cannot be modeled as a simple box into which Alice inputs $k$ and from which Bob then gets the output $k$. Instead, more inputs of both participants have to be involved. Alice should first input some quantum states (denoted as input $i_1$), and Bob inputs and announces his measurement bases (input $j_1$). Then Alice tells Bob which bases are correct (input $i_2$), followed by a security check in which Bob reveals some measurement results (input $j_2$) and Alice verifies whether these results are correct or not (input $i_3$). Alice also reveals some results for Bob to verify, and so on. Finally they obtain $k$ from the remaining unannounced measurement results. Obviously Alice cannot determine $i_2$ without knowing $j_1$, Bob's $j_2$ will be affected by Alice's $i_1$, and so on, and the final key $k$ is also affected by the $i$'s and $j$'s. Thus we see that in the BB84 protocol, the inputs $I = \{i_1, i_2, \dots\}$ and $J = \{j_1, j_2, \dots\}$ are dependent on each other. For an eavesdropper, even though parts of $I$ and $J$ are revealed, it is still insufficient to decode $k$.

This is also the case for OT. Alice and Bob generally need to send quantum states, perform operations and exchange lots of information throughout the entire protocol. All of these (e.g., Alice's $\{a_i, g_i\}$, $R$, $\beta_0$, $\beta_1$ and Bob's $\{b_i, h_i\}$, $\{J_0, J_1\}$ in the protocol in section III) should be treated as parts of their inputs. Consequently, there is $I \supset i$ and $J \supset j$. Definition B requires that Alice has zero knowledge about $j$. But it does not necessarily imply that she has zero knowledge about $J$. Therefore $I$ and $J$ can be dependent on each other. Indeed, step (V) of the BC-based 1-2 QOT protocol in section III clearly shows that $I$ includes not only the secret bits $b_0$ and $b_1$, but also depends on how Bob selects $J_0$ and $J_1$ in step (IV). Meanwhile, Bob's announcing $J_0$ and $J_1$ does not necessarily reveal his choice of $j$. Therefore, compared with Definitions C and D, the BC-based 1-2 QOT protocol cannot be viewed as an ideal function $f(i(m_0, m_1), j)$, where $i$ and $j$ are merely the private inputs of Alice and Bob, respectively. Instead, it has the form $f(I(m_0, m_1, J), J)$, where Alice's input $I$ varies according to Bob's input $J$, and its value is not determined until Bob's input has been completed. That is, BC-based 1-2 QOT does not satisfy Definition C.

With this feature, the cheating strategy in Lo's proof can be defeated, as was pointed out in Ref. [48], which will be reviewed below. According to Lo's strategy, Bob can cheat in 1-2 OT satisfying Definition C because he can change the value of $j$ from $j_1$ to $j_2$ by applying a unitary transformation to his own quantum machine alone. This enables him to learn $f(i(m_0, m_1), j_1)$ and $f(i(m_0, m_1), j_2)$ simultaneously without being detected by Alice. However, in a protocol described by the function $f(I(m_0, m_1, J), J)$, a value of the form $f(I(m_0, m_1, J_{(1)}), J_{(2)})$ (with $J_{(k)}$ denoting Bob's input corresponding to $j_k$) will be meaningless. Without the help of Alice, Bob cannot change $I$ from $I(m_0, m_1, J_{(1)})$ to $I(m_0, m_1, J_{(2)})$. Hence he cannot learn $f(I(m_0, m_1, J_{(1)}), J_{(1)})$ and $f(I(m_0, m_1, J_{(2)}), J_{(2)})$ simultaneously by himself. Thus the BC-based 1-2 QOT protocol is immune to this cheating.

Now we prove it in a more rigorous mathematical form, following the procedure in the appendix of Ref. [48]. According to the cheating strategy in Lo's proof, as shown in section III of Ref. [30], in any protocol satisfying Definition D, Alice's and Bob's actions on their quantum machines can be summarized as an overall unitary transformation $U$ applied to the initial state $|u\rangle_{\mathrm{in}} \in H_A \otimes H_B$, i.e.

$$|u\rangle_{\mathrm{fin}} = U\,|u\rangle_{\mathrm{in}}. \qquad (11)$$

When both parties are honest, $|u^h\rangle_{\mathrm{in}} = |i\rangle_A \otimes |j\rangle_B$ and

$$|u^h\rangle_{\mathrm{fin}} = |v_{ij}\rangle = U(|i\rangle_A \otimes |j\rangle_B). \qquad (12)$$

Thus the density matrix that Bob has at the end of the protocol is

$$\rho_B^{i,j} = \mathrm{Tr}_A\,|v_{ij}\rangle\langle v_{ij}|. \qquad (13)$$

Bob can cheat in this protocol because, given $j_1, j_2 \in \{1, 2, \dots, m\}$, there exists a unitary transformation $U^{j_1, j_2}$ such that

$$U^{j_1, j_2}\,\rho^{i, j_1}\,(U^{j_1, j_2})^{-1} = \rho^{i, j_2} \qquad (14)$$

for all $i$. This means that Bob can change the value of $j$ from $j_1$ to $j_2$ by applying a unitary transformation independent of $i$ to the state of his quantum machine. This equation is derived as follows [30].

Alice may entangle the state of her quantum machine $A$ with her quantum dice $D$ and prepare the initial state

$$\frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes |i\rangle_A. \qquad (15)$$

She keeps $D$ for herself and uses the second register $A$ to execute the protocol. Supposing that Bob's input is $j_1$, the initial state is

$$|u'\rangle_{\mathrm{in}} = \frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes |i\rangle_A \otimes |j_1\rangle_B. \qquad (16)$$

At the end of the protocol, it follows from Eqs. (11) and (16) that the total wave function of the combined system $D$, $A$, and $B$ is

$$|v_{j_1}\rangle = \frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes U(|i\rangle_A \otimes |j_1\rangle_B). \qquad (17)$$

Similarly, if Bob's input is $j_2$, the total wave function at the end will be

$$|v_{j_2}\rangle = \frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes U(|i\rangle_A \otimes |j_2\rangle_B). \qquad (18)$$

Due to requirement (b) in Definition D, the reduced density matrices in Alice's hands for the two cases $j = j_1$ and $j = j_2$ must be the same, i.e.

$$\rho^{j_1}_{\mathrm{Alice}} = \mathrm{Tr}_B\,|v_{j_1}\rangle\langle v_{j_1}| = \mathrm{Tr}_B\,|v_{j_2}\rangle\langle v_{j_2}| = \rho^{j_2}_{\mathrm{Alice}}. \qquad (19)$$

Equivalently, $|v_{j_1}\rangle$ and $|v_{j_2}\rangle$ have the same Schmidt decomposition

$$|v_{j_1}\rangle = \sum_k a_k\,|\alpha_k\rangle_{AD} \otimes |\beta_k\rangle_B \qquad (20)$$

and

$$|v_{j_2}\rangle = \sum_k a_k\,|\alpha_k\rangle_{AD} \otimes |\beta'_k\rangle_B. \qquad (21)$$

Now consider the unitary transformation $U^{j_1, j_2}$ that rotates $|\beta_k\rangle_B$ to $|\beta'_k\rangle_B$. Notice that it acts on $H_B$ alone and yet, as can be seen from Eqs. (20) and (21), it rotates $|v_{j_1}\rangle$ to $|v_{j_2}\rangle$, i.e.

$$|v_{j_2}\rangle = U^{j_1, j_2}\,|v_{j_1}\rangle. \qquad (22)$$

Since

$${}_D\langle i|v_j\rangle = \frac{1}{\sqrt{n}}\,|v_{ij}\rangle \qquad (23)$$

[see Eqs. (12), (17), and (18)], by multiplying Eq. (22) by ${}_D\langle i|$ on the left, one finds that

$$|v_{ij_2}\rangle = U^{j_1, j_2}\,|v_{ij_1}\rangle. \qquad (24)$$

Taking the trace of $|v_{ij_2}\rangle\langle v_{ij_2}|$ over $H_A$ and using Eq. (13), Eq. (14) can be obtained.

Eqs. (11)-(24) are exactly those presented in Lo's proof [30]. We now consider the BC-based 1-2 QOT protocol. Since it has the feature that Alice's input $I$ depends on Bob's input $J$, in the above proof all $i$ in the equations should be replaced by $I(J)$ from the very beginning. Consequently, Eq. (23) becomes

$${}_D\langle I(J)|v_J\rangle = \frac{1}{\sqrt{n}}\,|v_{I(J)J}\rangle. \qquad (25)$$

In this case, multiplying Eq. (22) by ${}_D\langle I_{(2)}|$ ($I_{(2)} = I(J_{(2)})$ for short) on the left can no longer give Eq. (24). Instead, the result is

$$|v_{I_{(2)} J_{(2)}}\rangle = U^{J_{(1)}, J_{(2)}}\,U^{I_{(1)}, I_{(2)}}\,|v_{I_{(1)} J_{(1)}}\rangle, \qquad (26)$$

where $U^{I_{(1)}, I_{(2)}} = |I_{(2)}\rangle_D\langle I_{(1)}|_D$. Then Eq. (14) is replaced by

$$U^{J_{(1)}, J_{(2)}}\,U^{I_{(1)}, I_{(2)}}\,\rho^{I_{(1)}, J_{(1)}}\,\big(U^{J_{(1)}, J_{(2)}}\,U^{I_{(1)}, I_{(2)}}\big)^{-1} = \rho^{I_{(2)}, J_{(2)}}. \qquad (27)$$

Note that $U^{I_{(1)}, I_{(2)}}$ is a unitary operation on Alice's side. This implies that without Alice's help, Bob cannot change the density matrix he has from $\rho^{I_{(1)}, J_{(1)}}$ to $\rho^{I_{(2)}, J_{(2)}}$. That is why Bob's cheating strategy fails.

In brief, Lo's no-go proof on ideal one-sided two-party secure computations [30] cannot cover the above BC-based 1-2 QOT, because the proof studied only protocols in which the inputs of the participants are independent. As we mentioned, even the BB84 protocol does not satisfy this requirement, while it can still be used as a black box to build more sophisticated protocols, e.g., quantum secret sharing. Thus we see that black-box protocols do not necessarily require independent inputs of the participants. The model used in Lo's proof is too ideal, so that many useful protocols in quantum cryptography are not covered.

Similarly, a recent no-go proof on two-sided two-party secure computations [38] is also based on a model of protocols with independent inputs; therefore its conclusion is not sufficiently general either.

V. SUMMARY AND DISCUSSIONS 

We elaborated how Bob can make use of quantum entanglement to break the above BC-based QOT, even under certain practical settings in which the no-go proofs for secure QBC become invalid. Meanwhile, we also showed that BC-based QOT, though not unconditionally secure, can defeat certain kinds of cheating. Thus it is still valuable for building some "post-cold-war era" quantum cryptographic protocols.

These security/insecurity proofs are valid as long as the secure BC used in the QOT protocol is not a BCCC. Even relativistic BC and device-independent QBC are covered. But we should note that this does not mean that no QOT can be unconditionally secure. This is because the existing method [3] is not necessarily the only way to build OT from BC. Furthermore, there is no evidence indicating that OT has to be built upon BC. Therefore, it is still worth questioning whether other kinds of unconditionally secure OT exist, especially relativistic OT.